Santiago Palladino

Extracting Subject Alternative Name from Microsoft authentication client certificates

2 min
Jan 29 2013
coding, security

Among the client certificates present on an HSPD-12 smart card, you may find a Windows Smart Card Login certificate used for authentication. It has several particularities, one of them being that it stores the card owner's identity (that is, the Windows logon name and domain) in the Subject Alternative Name as an ASN.1-encoded UTF8String under a Microsoft-specific OID (1.3.6.1.4.1.311.20.2.3).

What does this mean? It means that if you try to extract the subject alternative name from the certificate using Ruby's OpenSSL::X509 library in the usual way, you will get back a string reading simply "unsupported".

Note that the returned value is indeed a string, not an exception: the underlying OpenSSL C library, which the Ruby one wraps, renders exactly that placeholder for an otherName entry it does not know how to print.

To extract the owner's identification properly, you need to parse the certificate with OpenSSL::ASN1 and walk the resulting hierarchy yourself. The element you are looking for has the key "msUPN", that is, Microsoft User Principal Name.

This way you can set up a solution that works with both Microsoft-based certificates and standard X.509 authentication certificates.
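The walk through the ASN.1 hierarchy described above, as an added example that is not the post's own code. It builds a self-signed test certificate (constructed here, not a real smart-card certificate) whose subjectAltName carries an msUPN otherName next to ordinary rfc822Name and dNSName entries, using the `otherName:OID;UTF8:value` syntax of OpenSSL's x509v3 configuration, then decodes the extension with OpenSSL::ASN1 and picks the UPN out of the `[0]` otherName. Depending on the OpenSSL build underneath, `Extension#value` for this extension either renders the UPN or falls back to the "unsupported" placeholder the post describes, which is why the code never relies on it. The helper and certificate names are assumptions made for the example.

```ruby
require "openssl"

# OID of the Microsoft User Principal Name otherName (short name "msUPN" in OpenSSL).
MS_UPN_OID = "1.3.6.1.4.1.311.20.2.3".freeze

# One key for every test certificate built below; generating it once keeps the
# example fast. Constructed for this example only.
TEST_KEY = OpenSSL::PKey::RSA.new(2048)

# Walk the subjectAltName extension with OpenSSL::ASN1 and return every
# GeneralName as a [kind, value] pair. Relevant ASN.1 shape:
#
#   GeneralNames ::= SEQUENCE OF GeneralName
#   otherName [0] ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
def subject_alt_names(cert)
  ext = cert.extensions.find { |e| e.oid == "subjectAltName" }
  return [] unless ext

  # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
  #                          extnValue OCTET STRING }
  # Extension#to_der is available on every openssl gem version; the OCTET STRING
  # is always the last element whether or not "critical" is encoded.
  extn_value = OpenSSL::ASN1.decode(ext.to_der).value.last.value
  general_names = OpenSSL::ASN1.decode(extn_value).value

  general_names.map do |gn|
    next unless gn.tag_class == :CONTEXT_SPECIFIC
    case gn.tag
    when 0 # otherName is constructed, so gn.value is [ObjectId, explicit [0] wrapper]
      type_id, wrapper = gn.value
      inner = wrapper.value.first
      if type_id.oid == MS_UPN_OID
        [:msUPN, inner.value] # inner is the UTF8String holding "logon@domain"
      else
        [:otherName, type_id.oid]
      end
    when 1 then [:email, gn.value] # rfc822Name, IMPLICIT IA5String -> raw String
    when 2 then [:dns, gn.value]   # dNSName
    when 6 then [:uri, gn.value]   # uniformResourceIdentifier
    when 7 # iPAddress, raw octets
      [:ip, gn.value.bytesize == 4 ? gn.value.unpack("C4").join(".") : gn.value.unpack("H*").first]
    end
  end.compact
end

# Identity to log in as: prefer the msUPN, then an rfc822Name, then the subject
# CN, so the same code serves smart-card and plain X.509 client certificates.
def card_holder_identity(cert)
  names = subject_alt_names(cert)
  upn = names.find { |kind, _| kind == :msUPN }
  return upn.last if upn
  email = names.find { |kind, _| kind == :email }
  return email.last if email
  cn = cert.subject.to_a.find { |name, _, _| name == "CN" }
  cn && cn[1]
end

# Self-signed test certificate (constructed for the example). `san` is an
# OpenSSL x509v3_config subjectAltName value such as
# "otherName:#{MS_UPN_OID};UTF8:logon@domain,email:someone@example.org".
def build_test_cert(cn:, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3, required for extensions
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = TEST_KEY.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  if san
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension("subjectAltName", san))
  end
  cert.sign(TEST_KEY, OpenSSL::Digest.new("SHA256"))
  cert
end

if $PROGRAM_NAME == __FILE__
  card = build_test_cert(cn: "Jane Doe",
                         san: "otherName:#{MS_UPN_OID};UTF8:jdoe@corp.example,email:jane@example.org")
  ext = card.extensions.find { |e| e.oid == "subjectAltName" }
  puts "Extension#value renders: #{ext.value}" # build-dependent, not parsed
  p subject_alt_names(card)
  puts card_holder_identity(card)
  puts card_holder_identity(build_test_cert(cn: "Plain TLS Client"))
end
```

The parser keys on tag numbers rather than on the `ObjectId#value` short name because `value` returns "msUPN" only when the local OpenSSL knows the OID; comparing the dotted form with `ObjectId#oid` works the same everywhere.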

Please comment if you have found other ways of working with these certificates; I'd love to see other implementations using Ruby's OpenSSL or any other OpenSSL-based library!

[Many thanks to Ed Magidson for his help in understanding and working with these certificates!]